topic Re: 2530 switches will not allow ssh or https in HPE Aruba Networking & ProVision-based

2530 switches will not allow ssh or https

karls — Thu, 31 Mar 2016 20:15:41 GMT

Right where to start, I can not for love nor money get 26 2530s switches to allow ssh or https access. The switches will accept the config and an example of one is provided.

; J9854A Configuration Editor; Created on release #YA.15.16.0006
; Ver #06:04.9c.63.ff.37.27:12
hostname "castle-comms"
timesync sntp
sntp unicast
sntp server priority 1 x.x.x.x
no telnet-server
no web-management
web-management ssl
ip route 0.0.0.0 0.0.0.0 x.x.x.x
interface 21
   name "link-to-castle-comms-2nd-switch"
   exit
interface 23
   name "link-to-castle-prefab"
   exit
interface 24
   name "ground-castle-nurse"
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-24
   untagged 25-26
   no ip address
   exit
vlan 2
   name "wired"
   untagged 1-12,24
   tagged 21,23
   no ip address
   exit
vlan 3
   name "private-wifi"
   untagged 13-20,22
   tagged 21,23-24
   no ip address
   exit
vlan 4
   name "public-wifi"
   tagged 21,23-24
   no ip address
   exit
vlan 5
   name "community"
   tagged 21,23-24
   no ip address
   exit
vlan 6
   name "servers"
   tagged 21,23-24
   ip address x.x.x.x x.x.x.x
   exit
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
password manager
password operator

I can see the certs after I create them but I cant not access the switches via ssh or https. To add confusion to the matter, I can not ping the switches either once they are on the network.

The core switch is a netgear (i know, but this is being replaced with a 5500 once I resolve these issues), yet the core is working without issue.

And lastly, I can not at this time upgrade the firmware as the tftp steps is providing an error. Cant recall at this time what it is.

The rest of the network is made up of 1920s switches which are working fine, ssh, https all good.

Steps taken, rebuild the switches, deleted crypto keys for ssh and pki. Reconfig those but still no joy. Also rebuild the switches offline and provided myself with a static IP and still no joy.

Apart from launch these switches into the sea, I am questioning either fireware or hardware failure.

Has anyone seen this before or any tips on next steps.

Thanks....

Re: 2530 switches will not allow ssh or https

EricAtHP — Thu, 31 Mar 2016 21:27:56 GMT

I have a different 2530, a J9774a, and on mine an all other recent provision based switches, SSH is enabled by default. I am running YA.16.01 software.

I am concerned that you can't even ping your switch. That makes me think that your VLAN configuration isn't quite right. I assume that ports 23 and 24 connect to the rest of your network and that you want to manage the switch in vlan 6. But ports 23 and 24 are configured slightly differently. Port 23 doesn't carry any untagged traffic and port 24 carries VLAN 2 untagged. Is that intentional?

I think there are two options to figure this out.

1. Can you share the config of the port that this switch connects to on the netgear? And let us know which port on the 2530 it is connecting to.

2. Or you can reset to factory defaults and connect the switch to a port on the netgear that is untagged with DHCP. The 2530 will get a DHCP address and then you can validate connectivity and update the software before reconfiguring for your network.

Re: 2530 switches will not allow ssh or https

karls — Fri, 01 Apr 2016 08:17:42 GMT

So this switch is connected to two other 2530's on ports 21 and 23. Port 24 was to an additional netgear switch that only required vlan 2, so that was untagged. The tagged vlans on 24 can be ignored, so I must remove those.

So this switch is not directly connected to the core, so kind of bad example. But one that is which is in the same position, has on its uplink at the core, untagged vl 2, tagged vl 3-6.

vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-48
   untagged 49-52
   no ip address
   exit
vlan 2
   name "wired"
   untagged 1-48
   no ip address
   exit
vlan 3
   name "private-wifi"
   tagged 48
   no ip address
   exit
vlan 4
   name "public-wifi"
   tagged 48
   no ip address
   exit
vlan 5
   name "community"
   tagged 48
   no ip address
   exit
vlan 6
   name "servers"
   tagged 48
   ip address x.x.x.x
   exit

Re: 2530 switches will not allow ssh or https

karls — Fri, 01 Apr 2016 08:49:12 GMT

Also forgot to say that the switches are bleeding their config, which I see was a fix in one of the firmware updates.

Re: 2530 switches will not allow ssh or https

16again — Fri, 01 Apr 2016 17:26:37 GMT

divide and conquer strategy:
just to make a switch port untagged in vlan6 , hook up a PC and test from there. No need to bother about certificates private key stuff if you can't even ping